Introduction

This post is an update of my last post, since I am building a new machine. Since then, the Beginner’s Guide has been deprecated and has been replaced with the regular install guide. This time around, I’ve simplified my partition layout and I’m going to be using XFCE as my desktop environment. You’ll need the following before you begin:

A copy of the Arch Linux ISO (I recommend using a torrent instead of a direct download)

Explanation

I chose to use a traditional BIOS instead of UEFI, simply for convenience's sake.

I chose to use a GUID Partition Table (GPT) instead of a Master Boot Record (MBR). I’m probably not going to utilize all the advantages GPT offers, but MBR seems to be on the way out.

Compared to my last guide, I’m using a much simpler partition layout. Both the BIOS boot partition and /boot need to be their own, unencrypted partitions. Then, I’ll encrypt only my third partition. Keep in mind what this buys you: LUKS protects the confidentiality of the data on the third partition when the machine is off, but the kernel and initramfs in the unencrypted /boot are not protected against tampering by someone with physical access. See the figure below for an illustrated example.

In contrast, my last guide was using LVM on LUKS (shown below). Since LVM is only needed if you have more than one partition (in the last guide, I had swap, root, and home), I chose not to use it this time.

I did not use a swap partition, since I have 16GB of RAM. However, if you need swap, I recommend a swap file instead of a swap partition. Ubuntu recently switched to swap files by default, and it seems to be easier to manage. With this layout a swap file created on / lives inside the encrypted partition, so memory paged out to it is encrypted too (a separate, unencrypted swap partition would not be); make sure the file is mode 0600. Instructions for creating a swap file are here.

Base Install

Step 1 – Setup your installation media

Download the Arch Linux ISO and install it to your USB flash drive, as described here. Then, set your BIOS boot order to removable media first, plug in your USB flash drive, and boot it up.

At this point, you should be automatically logged into a root prompt. Until we get a desktop environment installed and working, this is all going to be text-based and you’ll only be using the keyboard, no mouse.

root@archiso ~ #

Step 2 – Test internet connectivity

Enter the following at the prompt to test your internet connection (the -c 3 stops ping after three packets instead of running until you press Ctrl-C). DHCP is enabled for wired devices on boot. If you’re using wireless, see this page.

ping -c 3 8.8.8.8

Step 3 – Update the system clock

Make sure your clock is accurate, since you’re online.

timedatectl set-ntp true
timedatectl status

Step 4 – Setup partitions

First, we need to set up partitions. However, before we do anything, we make sure the device mapper and encryption kernel modules are loaded with the command below. (cryptsetup normally loads them on demand, so this is mostly a safety net.)

modprobe -a dm-mod dm_crypt

Next, use the fdisk utility to find the name of your disk. More than likely, the disk will be /dev/sda (on an NVMe drive it will look like /dev/nvme0n1, with partitions named /dev/nvme0n1p1 and so on).

fdisk -l

Note – I will be using /dev/sda in this guide. Please don’t copy/paste from this guide directly, as you could risk destroying your current system. I’m not responsible for anything you break 🙂

Optionally, you can erase the partition tables on your disk.

sgdisk --zap-all /dev/sda

Next, we want to use gdisk to create the partitions. gdisk works only with GPT disks; recent versions of fdisk can handle GPT as well, but this guide sticks with gdisk.

gdisk /dev/sda

Use the o option to create a new GPT.

Command (? for help): o
This option deletes all partitions and creates a new protective MBR.
Proceed? (Y/N): Y

Use the n option to create a new partition, then press Enter to use the first partition.

Command (? for help): n
Partition number (1-128, default 1):

This first partition (/dev/sda1) will be our BIOS boot partition. This partition needs to be 1M. Press Enter to select the default option for the first sector of the partition, then +1M for the last. When gdisk asks for the hex code, enter ef02 (BIOS boot partition) rather than accepting the default 8300: grub-install looks for a partition of that type and will fail without it. This partition is only required when using BIOS + GPT + GRUB.

Use the n option to create a new partition, then press Enter to use the second partition.

Command (? for help): n
Partition number (2-128, default 2):

This second partition (/dev/sda2) will be our /boot partition. This partition will contain the kernel and initramfs images, so it is suggested to be around 200MB. For an even number that will leave plenty of room for growth/changes, I’m going to use 512MB. Press Enter to select the default option for the first sector of the partition, then +512M for the last. Accept the default type 8300 when asked for the hex code.

Current type is 'Linux filesystem'
Hex code or GUID (L to show codes, Enter = 8300):
Changed type of partition to 'Linux filesystem'

Use the n option to create a new partition, then press Enter to use the third partition.

Command (? for help): n
Partition number (3-128, default 3):

This third partition (/dev/sda3) will be / , which will contain the rest of the disk. Press Enter to select the default option for the first sector of the partition, then press Enter again for the last sector (the default is the last usable sector, which takes up the remainder of the free space). Accept the default type 8300, then use the w option to write the table and exit.
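The same three-partition layout as a non-interactive sgdisk script, added here as an example and not part of the original post. It reproduces the gdisk session above (1 MiB type ef02 BIOS boot partition, 512 MiB /boot, remainder for the LUKS container), and, because a copy/pasted device name is the easiest way to destroy the wrong disk, refuses to run if anything from the target disk is currently mounted. The DRY_RUN variable and the optional mounts-file argument are my additions for testing.

```shell
# Added example: scripted equivalent of the gdisk session, with a guard.
set -eu

# Return 0 if the disk $1 (e.g. /dev/sda) or any of its partitions appears
# in the mounts table $2 (defaults to /proc/mounts; overridable for tests).
disk_is_mounted() {
    local disk=$1 mounts=${2:-/proc/mounts}
    grep -Eq "^${disk}[0-9p]* " "$mounts"
}

# Wipe the partition table of $1 and create the three partitions.
# $2 is the mounts table to consult (tests pass a constructed file).
# With DRY_RUN=1 the sgdisk command is printed instead of executed.
partition_disk() {
    local disk=$1 mounts=${2:-/proc/mounts}
    if disk_is_mounted "$disk" "$mounts"; then
        echo "refusing to touch $disk: it has mounted partitions" >&2
        return 1
    fi
    # ef02 = BIOS boot partition (what grub-install needs on BIOS+GPT),
    # 8300 = Linux filesystem; 0 as the end sector means "to the end".
    set -- --zap-all \
        -n 1:0:+1M   -t 1:ef02 -c 1:bios_boot \
        -n 2:0:+512M -t 2:8300 -c 2:boot \
        -n 3:0:0     -t 3:8300 -c 3:cryptroot \
        "$disk"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "sgdisk $*"
        return 0
    fi
    sgdisk "$@"
}

# Real use on the install media (not run here):
#   partition_disk /dev/sda && sgdisk -p /dev/sda
```

sgdisk also accepts a disk image file, so you can rehearse the layout on `truncate -s 4G /tmp/disk.img; partition_disk /tmp/disk.img; sgdisk -p /tmp/disk.img` before pointing it at real hardware.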

-v = verbose

-y = verify the passphrase: ask twice, and complain if the two entries don’t match

-c = specify the cipher used

-s = specify the key size used

-h = specify the hash used for passphrase processing (PBKDF2)

-i = number of milliseconds to spend on passphrase processing; more time means an attacker has to do proportionally more work per guess, at the cost of a slower unlock (the default is 1000 ms in cryptsetup 1.x and 2000 ms in 2.x)

--use-urandom = use /dev/urandom rather than /dev/random to generate the master key

luksFormat = initialize the partition and set a passphrase

/dev/sda3 = the partition to encrypt

A few notes:

you should run cryptsetup --help to view the compiled-in defaults for your system

you should consider using /dev/urandom (which is probably the default) instead of /dev/random (unless you’re in a low entropy environment like an embedded system)

XTS splits the key size in half, so to use AES-256 you need to specify a key size of 512

Finally, we need to unlock the LUKS device before we can set up filesystems. This does not mount anything yet; it maps the decrypted view of /dev/sda3 at /dev/mapper/cryptroot, and that mapper name is what the later steps refer to.

cryptsetup open /dev/sda3 cryptroot
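The luksFormat command that the option list above describes, written out as an added example (it is not the command from the original post). It assumes cryptsetup 2.x, whose default is a LUKS2 header with argon2id as the passphrase KDF; in that case -h only takes effect if you also pass --pbkdf pbkdf2. The key_size_for helper encodes the XTS caveat from the notes: AES-256 in XTS mode needs --key-size 512.

```shell
# Added example: luksFormat with the documented options, then verification.
set -eu

# XTS consumes two keys, so the --key-size handed to cryptsetup must be
# twice the AES key length you actually want: 512 for AES-256, 256 for AES-128.
# Non-XTS modes (e.g. aes-cbc-essiv:sha256) take the AES key length as-is.
key_size_for() {
    local cipher=$1 aes_bits=$2
    case $cipher in
        *-xts-*) echo $((aes_bits * 2)) ;;
        *)       echo "$aes_bits" ;;
    esac
}

# Format $1 as a LUKS container: AES-256-XTS, SHA-512, 5 s of KDF work,
# passphrase entered twice (-y), verbose output (-v). Destroys $1's contents.
luks_format() {
    local dev=$1
    cryptsetup -v -y \
        --cipher aes-xts-plain64 \
        --key-size "$(key_size_for aes-xts-plain64 256)" \
        --hash sha512 \
        --iter-time 5000 \
        --use-urandom \
        luksFormat "$dev"
}

# Show what was actually written to the header (cipher, key size, PBKDF),
# then confirm the passphrase unlocks it without mapping the device.
luks_check() {
    local dev=$1
    cryptsetup luksDump "$dev"
    cryptsetup open --test-passphrase "$dev"
}

# On the install media (not run here):
#   luks_format /dev/sda3 && luks_check /dev/sda3
```

Run `cryptsetup benchmark` first if you want to compare cipher throughput on your CPU before committing to one; whatever the format step prints, `luksDump` is the authoritative record of what the header contains.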

Step 5 – Create filesystems

Next, we’re going to create filesystems for /boot and / . The partition /dev/sda1 does not need a filesystem.

Note – I have this user added to the wheel group, which we’ll need to use sudo. More on that later.

Then, change the password for your new user. Substitute logan with your username.

passwd logan

Step 13 – Install and configure a bootloader

Use pacman to install the GRUB2 bootloader.

pacman -S grub

In the GRUB2 config file, we need to set a kernel parameter. The file to edit, however, depends on which bootloader you are using. In our case, it is GRUB2, and we’ll be editing the /etc/default/grub file.

vi /etc/default/grub

Find the line GRUB_CMDLINE_LINUX=”” and add the cryptdevice parameter to specify the location of your encrypted device. The format used is cryptdevice=device:name, where name is the mapper name you gave to cryptsetup open; with the values used in this guide that is cryptdevice=/dev/sda3:cryptroot.
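An added example, not code from the original post, of making that edit by script. It references the encrypted partition by its UUID rather than as /dev/sda3, so the boot entry keeps working if the disk is ever enumerated under a different name, and it replaces any cryptdevice= token already on the line instead of appending a second one. The mapper name cryptroot is the one used with cryptsetup open above; the function names are mine.

```shell
# Added example: set cryptdevice= in /etc/default/grub by UUID, idempotently.
set -eu

# Print cryptdevice=UUID=<uuid of $1>:<mapper name $2>.
cryptdevice_param() {
    local uuid
    uuid=$(blkid -s UUID -o value "$1")
    [ -n "$uuid" ] || { echo "no UUID found for $1" >&2; return 1; }
    echo "cryptdevice=UUID=${uuid}:$2"
}

# Rewrite GRUB_CMDLINE_LINUX in file $1 so that it carries exactly one
# cryptdevice= token ($2), keeping any other parameters already present.
set_grub_cmdline() {
    local file=$1 param=$2 current new tok tmp
    current=$(sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$file")
    new=""
    for tok in $current; do
        case $tok in
            cryptdevice=*) ;;                 # drop the previous value
            *) new="${new}${tok} " ;;
        esac
    done
    new="${new}${param}"
    tmp=$(mktemp)
    if grep -q '^GRUB_CMDLINE_LINUX=' "$file"; then
        sed "s|^GRUB_CMDLINE_LINUX=.*|GRUB_CMDLINE_LINUX=\"${new}\"|" "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf 'GRUB_CMDLINE_LINUX="%s"\n' "$new" >> "$tmp"
    fi
    cat "$tmp" > "$file"      # write in place: keeps the file's owner and mode
    rm -f "$tmp"
}

# Inside the chroot (not run here):
#   set_grub_cmdline /etc/default/grub "$(cryptdevice_param /dev/sda3 cryptroot)"
#   grub-mkconfig -o /boot/grub/grub.cfg
```

The edit only takes effect once grub.cfg is regenerated with grub-mkconfig; the root= parameter is filled in by grub-mkconfig from the mounted root filesystem, so you do not need to add it by hand.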

Step 14 – Enable Intel Microcode updates (optional)

Step 15 – Reboot

Exit chroot, unmount any filesystems, and shutdown your machine.

exit
umount -R /mnt
shutdown -h now

Remove the USB flash drive from the laptop we inserted back in step 1.

Step 16 – Start Arch Linux

Start your machine and you should be greeted by the GRUB2 bootloader. Enter the passphrase to unlock your encrypted partition on /dev/sda3. After the operating system loads, you should be at a login prompt where you can log in as root with the password you set earlier.

Step 17 – Sudo

We need to edit the /etc/sudoers file to allow use of the wheel group for our normal users. Only use visudo to edit /etc/sudoers, as it locks the file while editing, provides basic syntax checking, etc…

visudo

Uncomment the %wheel ALL=(ALL) ALL line, like below.

Before…

# %wheel ALL=(ALL) ALL

After…

%wheel ALL=(ALL) ALL

Optionally, you can uncomment the line below instead and you won’t be prompted for your password. Be aware of what that trades away: any process running as your user (a malicious script, a compromised browser) can then become root silently. With the password prompt kept, such a process still needs your password, although sudo caches a successful entry for a few minutes, so the protection is partial rather than absolute.

Before…

# %wheel ALL=(ALL) NOPASSWD: ALL

After…

%wheel ALL=(ALL) NOPASSWD: ALL
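The same grant written as a drop-in under /etc/sudoers.d, as an added example that is not from the original post. Drop-ins leave the stock /etc/sudoers untouched (Arch’s stock file already includes /etc/sudoers.d), and the function validates the candidate with visudo -cf before installing it, because a syntax error in sudoers locks everyone out of sudo. The directory, file name and NOPASSWD flag arguments are my own interface.

```shell
# Added example: install a validated sudoers drop-in for a group.
set -eu

# Write $1/$2 granting group $3 full sudo; pass 1 as $4 for NOPASSWD.
# sudo silently skips drop-ins whose names contain a '.' or that are not
# mode 0440, so both are enforced here.
write_sudoers_dropin() {
    local dir=$1 name=$2 group=$3 nopasswd=${4:-0} rule tmp
    case $name in
        *.*) echo "drop-in name must not contain '.': $name" >&2; return 1 ;;
    esac
    if [ "$nopasswd" = 1 ]; then
        rule="%${group} ALL=(ALL) NOPASSWD: ALL"
    else
        rule="%${group} ALL=(ALL) ALL"
    fi
    tmp=$(mktemp)
    printf '%s\n' "$rule" > "$tmp"
    chmod 0440 "$tmp"
    # visudo -cf parses the candidate file without installing it. Run as root
    # so the ownership check that some visudo versions perform is meaningful.
    if [ "$(id -u)" = 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp" >/dev/null
    fi
    install -m 0440 "$tmp" "$dir/$name"
    rm -f "$tmp"
}

# In the chroot, as root (not run here):
#   write_sudoers_dropin /etc/sudoers.d 10-wheel wheel
```

The file must also be owned by root, which it is when you run this as root during the install; `visudo -c` afterwards re-checks the whole configuration including every drop-in.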

Step 18 – Networking

First, test your internet connectivity.

ping -c 3 8.8.8.8

My network device was down at first, so I brought it up and enabled DHCP (I’m doing this on a wired connection) with the commands below.

The LUKS header backup should be stored and treated the same way as your data: encrypted, with duplicates on multiple sets of media. Anyone who obtains the backup has every key slot it contained, so if they also get your passphrase (or an old one) they can unlock your drive. Two consequences follow: a backup taken before you changed or removed a passphrase still accepts the old passphrase, so take a fresh backup and destroy the old copies after any key change; and wiping the header on the disk does not make the data unrecoverable while a backup exists.
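An added example, not the original post’s code, of taking the backup with a checksum stored beside it, so that a copy sitting on removable media for years can be verified before you rely on it. The checksum helpers are plain sha256sum and are what the test below exercises; the cryptsetup calls need root and a real LUKS device.

```shell
# Added example: LUKS header backup with integrity check.
set -eu

# Record the SHA-256 of file $1 in $1.sha256 (relative name, so the pair
# can be moved to other media together).
record_checksum() {
    ( cd "$(dirname "$1")" && f=$(basename "$1") && sha256sum "$f" > "$f.sha256" )
}

# Return non-zero if file $1 no longer matches its recorded checksum.
verify_checksum() {
    ( cd "$(dirname "$1")" && sha256sum -c --status "$(basename "$1").sha256" )
}

# Dump the header of LUKS device $1 into $2 (cryptsetup refuses to overwrite
# an existing file), lock down the copy, and record its checksum.
luks_header_backup() {
    local dev=$1 out=$2
    cryptsetup luksHeaderBackup "$dev" --header-backup-file "$out"
    chmod 0400 "$out"
    record_checksum "$out"
}

# A backup file is itself a parsable LUKS header: check the bytes, then let
# cryptsetup confirm it is structurally sound and show its key slots.
luks_header_inspect() {
    local out=$1
    verify_checksum "$out"
    cryptsetup luksDump "$out"
}

# As root, after encrypting the partition (not run here):
#   luks_header_backup /dev/sda3 /root/sda3-luks-header.img
#   luks_header_inspect /root/sda3-luks-header.img
```

Restoring is `cryptsetup luksHeaderRestore /dev/sda3 --header-backup-file <file>`; run luks_header_inspect on the copy first, since restoring a corrupted header over a damaged one leaves you with nothing.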

User directories

To create all of your default directories in $HOME (e.g., Documents, Music, Pictures, etc…), run the two commands below.

sudo pacman -S xdg-user-dirs
xdg-user-dirs-update

Systemd – boot performance

I’m not going to talk about whether I love systemd or hate it. Honestly, I’m not technical enough to have an opinion on it. That being said, we can use it to improve our boot performance.

To see the time taken to start each systemd unit file, enter the command below.

sudo systemd-analyze blame

At some points in the boot process, the next unit file cannot proceed until the previous one loads. To see this, enter the command below at the terminal. This can give you a good idea of where pauses/hangs are happening in the boot process.

sudo systemd-analyze critical-chain

VirtualBox host support

If you’re going to be using this Arch Linux installation as a VirtualBox host, you’ll need the following packages installed.